Cyber Incident Victim: PIK Group

Date: Feb 2019

Location: Russia

Summary

A targeted attack involving PIK Group, a major Russian real estate firm, began with a phishing email carrying a link to a malicious ZIP archive whose contents were disguised as order details. The archive held a heavily obfuscated JavaScript dropper that staged a multi-part payload with three modules: a Troldesh ransomware variant that encrypted files, appended a ".crypted000007" extension and replaced the desktop wallpaper; a cryptocurrency miner whose ZCash wallet held roughly 4.89 ZCash at the time of analysis; and a third module, detected heuristically as HEUR.Trojan.Win32.Generic, capable of credential theft, remote control of the host and brute-force attacks against WordPress sites. The combination of ransomware, covert mining and credential harvesting pointed to financially motivated actors after both an immediate payout from the ransom demand and longer-term income from mining, while keeping a foothold on infected machines. The noisy brute-force component sat oddly beside the miner's need to stay unnoticed, which analysts read as botnet misuse or profit maximization rather than state-sponsored espionage.

Description

On or around February 28, 2019, a security researcher received an unsolicited email containing a link to a malicious ZIP file named "pik.zip", purportedly detailing order information for PIK Group, a major Russian real estate firm with over 14,000 employees. The archive contained a heavily obfuscated JavaScript file with the Cyrillic filename "Группа Компаний ПИК подробности заказа" ("PIK Group of Companies order details"). Analysis found two obfuscation techniques: fake conditional statements (static forks, whose outcome is fixed when the script is written and which exist only to clutter the control flow) and function bodies assembled at runtime from nested string fragments. On execution the script (Stage0) dropped a UPX-packed Windows PE file disguised as "msg.jpg", which acted as the second stage and downloaded and executed three further modules: a ransomware variant, a cryptocurrency miner and a brute-force Trojan.
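The two obfuscation patterns described above are cheap to look for in a suspicious script before it is ever executed. The Python below is an added example, not code from the original analysis or from the sample itself: it runs two heuristics over a constructed, benign stand-in script (SAMPLE_JS, written for this example and not the actual pik.zip dropper), flagging if-conditions whose operands are all literals (static forks) and eval/Function sinks whose argument is anything other than a single string literal (bodies built from string fragments). The regexes, the triage verdict rule and the sample are assumptions made for this example.

```python
import re

# Constructed, benign stand-in for an obfuscated JScript dropper. This is NOT the
# pik.zip script; it only reproduces the two tricks the analysis describes.
SAMPLE_JS = r'''
var p0 = "ret", p1 = "urn ", p2 = "2 * ";
if ("a" == "b") { var x = 1; } else { var build = new Function(p0 + p1 + p2 + "21"); }
if (1 === 1) { var r = build(); }
if (0) { var dead = 42; }
var out = eval("r" + " + 0");
var plain = new Function("return 7");
'''

# A JavaScript literal: double- or single-quoted string, or a number.
LIT = r'''(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d+(?:\.\d+)?)'''

# Static fork: an `if` whose condition compares literal to literal, or is a bare
# constant. Its outcome never changes, so it exists only to clutter control flow.
STATIC_FORK = re.compile(
    r"\bif\s*\(\s*(?P<cond>" + LIT + r"\s*(?:===?|!==?)\s*" + LIT + r"|true|false|\d+)\s*\)"
)

# Sinks that turn a string into code at runtime.
SINK = re.compile(r"\b(?P<sink>new\s+Function|Function|eval)\s*\(")
SINGLE_LITERAL = re.compile(r"^\s*" + LIT + r"\s*$")


def find_static_forks(js):
    """Return the condition text of every statically decidable `if`."""
    return [m.group("cond") for m in STATIC_FORK.finditer(js)]


def _balanced_arg(js, open_idx):
    """Text between the '(' at js[open_idx] and its matching ')', skipping
    parentheses that appear inside string literals."""
    depth, quote, i = 0, None, open_idx
    while i < len(js):
        ch = js[i]
        if quote:                        # inside a string: only look for its end
            if ch == "\\":
                i += 1                   # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'`":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return js[open_idx + 1:i]
        i += 1
    return js[open_idx + 1:]             # unterminated call: return what is there


def find_dynamic_bodies(js):
    """Return (sink, argument) for each eval/Function call whose argument is
    not a single string literal, i.e. a body assembled at runtime."""
    hits = []
    for m in SINK.finditer(js):
        arg = _balanced_arg(js, m.end() - 1)
        if not SINGLE_LITERAL.match(arg):
            sink = " ".join(m.group("sink").split())   # normalise "new   Function"
            hits.append((sink, arg.strip()))
    return hits


def triage(js):
    """Summarise both heuristics. The verdict rule (both patterns present) is an
    assumption for this example, not a published detection threshold."""
    forks = find_static_forks(js)
    bodies = find_dynamic_bodies(js)
    return {
        "static_forks": forks,
        "dynamic_bodies": bodies,
        "suspicious": bool(forks) and bool(bodies),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

A literal-versus-literal comparison is decidable without running anything, which is exactly why it carries no program logic and serves only to mislead a reader or a naive signature. The sink check deliberately errs towards noise: a legitimate `new Function("return 7")` is skipped, but any concatenated or variable body is reported, because in a script dropper a runtime-built body is the norm rather than the exception.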

The ransomware component was identified as a Troldesh variant (327B0EF4.exe). It encrypted files and appended the ".crypted000007" extension (for example, "1.jpg" became "hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007"), dropped ten ransom notes ("README1.txt" to "README10.txt") on the desktop and replaced the wallpaper. The miner component sent its proceeds to a ZCash wallet that showed a balance of 4.89 ZCash as of February 26, 2019, suggesting either a recent deployment or a small botnet. The third module (B56CE7B7.exe) was flagged as HEUR.Trojan.Win32.Generic, a heuristic detection name rather than a named family; it behaved as a Trojan that brute-forces WordPress sites, harvests credentials, provides remote access and injects malicious ads or links. The Trojan spread copies of itself under the original "pik.zip" filename, which means websites compromised to host it could potentially be located through search engines. The attack's three aims pulled in different directions: ransomware for immediate extortion, stealthy mining for long-term resource exploitation, and noisy brute-forcing for credential harvesting and lateral movement, where the brute-force activity's high visibility risked exposing an infection the miner needed to keep quiet in order to persist. No specific containment actions by PIK Group were detailed in the source material, though the malware's reuse of known components and its mixed objectives led analysts to assess it as financially motivated rather than a state-sponsored operation.
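The on-disk traces described above (the renamed files, the numbered ransom notes and the reused lure archive name) are enough for a quick host triage. The Python below is an added example, not part of the original report: it builds a constructed sample directory tree (the first encrypted filename is the one quoted in the description; every other path is invented for this example), walks it and classifies what it finds. The filename regex generalizes from that single quoted example (base64-looking stem, hex identifier, ".crypted000007"), so it is an assumption; anything carrying the extension without that shape is still reported, just under a separate label, rather than missed.

```python
import os
import re
import tempfile

EXTENSION = ".crypted000007"

# Shape of the one renamed file quoted in the report:
#   hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007
# i.e. a base64-looking stem, a hex identifier, then the extension. Generalising
# from a single sample is an assumption, so anything else with the extension is
# still reported, under a separate label.
ENCRYPTED_NAME = re.compile(
    r"^[A-Za-z0-9+/]+={0,2}\.[0-9A-Fa-f]+" + re.escape(EXTENSION) + r"$"
)
RANSOM_NOTE = re.compile(r"^README(?:[1-9]|10)\.txt$")   # README1.txt .. README10.txt
LURE_ARCHIVE = "pik.zip"                                 # name the Trojan reused when spreading


def classify(name):
    """Map a bare filename to an indicator label, or None if it is uninteresting."""
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if name.endswith(EXTENSION):
        return "encrypted_other"        # right extension, unexpected stem layout
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    if name.lower() == LURE_ARCHIVE:
        return "lure_archive"
    return None


def scan(root):
    """Walk a tree and collect full paths per indicator label."""
    findings = {k: [] for k in ("encrypted", "encrypted_other", "ransom_note", "lure_archive")}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                findings[label].append(os.path.join(dirpath, name))
    return findings


def verdict(findings):
    """Rule for this example (an assumption, not a vendor signature): renamed
    files together with ransom notes make the Troldesh pattern."""
    encrypted = len(findings["encrypted"]) + len(findings["encrypted_other"])
    notes = len(findings["ransom_note"])
    if encrypted and notes:
        return "troldesh_pattern"
    if encrypted or notes:
        return "partial_indicators"
    return "clean"


def build_sample_tree():
    """Constructed sample tree for this example. Only the first encrypted name
    comes from the report; everything else is invented. Returns the root path."""
    root = tempfile.mkdtemp(prefix="troldesh_demo_")
    docs = os.path.join(root, "Documents")
    desktop = os.path.join(root, "Desktop")
    downloads = os.path.join(root, "Downloads")
    for d in (docs, desktop, downloads):
        os.makedirs(d)
    files = [
        (docs, "hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007"),
        (docs, "Zm9vYmFy.0123456789ABCDEF0123.crypted000007"),
        (docs, "notes.crypted000007"),          # extension only: encrypted_other
        (docs, "report.docx"),                  # untouched file
        (desktop, "README11.txt"),              # out of range: not a ransom note
        (downloads, "pik.zip"),
    ]
    files += [(desktop, f"README{n}.txt") for n in range(1, 11)]
    for d, name in files:
        with open(os.path.join(d, name), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for label, paths in result.items():
        print(f"{label}: {len(paths)}")
    print("verdict:", verdict(result))
```

Point `scan` at a real user profile instead of the constructed tree to use it for triage; the `lure_archive` label is worth keeping separate from the ransomware indicators, since a stray "pik.zip" on its own is a sign of the delivery stage or of the Trojan's self-propagation rather than of encryption having run.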
